๐Ÿ” CVE Alert

CVE-2026-58492

UNKNOWN 0.0

grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0.

CWE CWE-89
Vendor getgrav
Product grav
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for getgrav grav

Be the first to know when new unknown vulnerabilities affecting getgrav grav are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getgrav / grav
< 1.2.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-8jxg-4pw9-xcwf github.com: https://github.com/getgrav/grav-plugin-database/commit/f6d058785c9e23df7efc5ea7556f8746fef286df github.com: https://github.com/getgrav/grav-plugin-database/releases/tag/1.2.0